
The Detection Trap: Improving Cybersecurity by Learning from the Secret Service

Intruders often understand the networks they target better than their defenders do.

It's surprisingly easy to break into the White House grounds — in March, someone slipped over the fence and roamed the compound before being caught. Nevertheless, the White House is still the most secure public space in the world, because whether they get tackled on the lawn, arrested at the front door, or stopped at the stairs to the residence, intruders consistently get caught before they reach the president.

Contrast this with how we protect the high-value assets in our data centers. Despite a $75 billion-a-year cybersecurity industry, attackers are still able not only to break in but to hide for months or years inside without being discovered. The interval between initial compromise and discovery is called dwell time, and the current average is about 146 days. For comparison, the White House break-in lasted about 17 minutes.

Dwell time is the most critical measure of network security, because any intruder with time to explore a network will almost certainly find a high-value target and cause serious damage. It is also the most striking distinction between physical security — where dwell time is generally short — and computer security. The Secret Service can permit a porous border because their understanding and control of the White House lets them focus on catching intruders after only a few moments inside.

The march of recent breaches has been typified by the failure to detect intruders, or overworked security teams that missed alerts even when their detection worked. Security teams today are laser-focused on this problem and are doubling down on detection to solve it. This is the right problem to solve, but focusing on detection as the solution is a trap. The real problem is that intruders often understand the networks they target better than their defenders do, giving them a tremendous advantage.

The Defender's Advantage

Throughout history, defenders' greatest advantage has been their ability to choose and control their ground. The Secret Service knows every nook and cranny of any location where the president appears. This is why dwell time for intruders inside the White House is so short: they're on the defender's home turf, and every step could be their last.

On the network, defenders have largely ceded this advantage, because most don't know what their environment looks like. If security teams don't know how their applications operate across their infrastructure, they don't have control. If they have an outdated picture of their infrastructure (your network six weeks ago isn't the same as your network today) or they don't know what is connected to their network, they don't have control. And if they're missing critical information, such as which infrastructure is running their most critical applications, they don't have control.

Why are defenders in this mess? Networks are much more complicated and dynamic than the physical world, but they're also far easier to monitor. It's a problem that screams out for artificial intelligence, machine learning, and a string of other cutting-edge buzzwords. But most of these efforts are still focused on detection: catching bad guys in the act, not understanding and controlling the environments in which they are acting.

The good news is that understanding our networked environments is doable. The problem is we've been pointing our human analysts at computer-scale problems and our computers at human problems. Again, we can learn a lesson from the Secret Service.

Secret Service agents have decades of training under their belts and are optimized to solve the hardest problems: they must decide in a split second whether someone in a crowd is reaching for a gun, a protest sign, or just a cellphone. They must distinguish between someone having a bad day and someone plotting an assassination. They must separate an exercise of free speech from a destructive plot.

But Secret Service agents are also the scarcest and most expensive resource the agency has — those decades of training don't come cheap. So the Secret Service doesn't use agents to solve all their problems. Much of the Secret Service's effort is focused on solving simpler problems before they reach their agents, so those agents can focus on the hardest ones.

Think of your security team as your Secret Service agents. Expecting them to keep up with the constant dynamism of your network doesn't make sense. But on the network, every server, every virtual machine, every cloud instance, and every infrastructure device comes with a built-in sensor. If we could leverage this and keep up with changes in our environment, we could give our security teams the information they need to do what they are trained for: catch the bad guys.

To do this, we need automated systems, we need orchestration, and we need machine learning. But we need them pointed at the right things — the computer-scale problems that prevent us from understanding and controlling our environments. Understanding and control are how defenders have been successful for millennia, in all kinds of environments and circumstances. Our task isn't to throw out these lessons and start over; it's to learn from this experience and adjust our approach to account for our new environment.
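The "built-in sensor" argument above, and the earlier point that defenders lack a current map of which infrastructure runs which application, reduce to a concrete computer-scale job: collect flow telemetry every host already emits, fold it into an application-level map, and diff that map against yesterday's. What follows is an added example, not the author's or Illumio's code. The inventory, the flow records and the application names are all constructed for the illustration; a real deployment would read them from a CMDB and from host firewall or NetFlow logs.

```python
"""Drift detection over an application-dependency map (added example).

Every host emits flow records ("src dst dport"); an inventory tags hosts with
the application and tier they belong to. The map is built at the application
level so a human sees "hr-portal started talking to the payments database",
not ten thousand host pairs. Edges the baseline never contained are the
things a defender must explain before an intruder relies on them.
All data below is constructed for the example.
"""
from collections import defaultdict

# Constructed inventory: host -> (application, tier). A host that is absent
# here is unknown to the defender, which is itself a finding.
INVENTORY = {
    "10.0.1.10": ("payments", "web"),
    "10.0.1.11": ("payments", "web"),
    "10.0.2.20": ("payments", "app"),
    "10.0.3.30": ("payments", "db"),
    "10.0.5.50": ("hr-portal", "web"),
    "10.0.6.60": ("hr-portal", "db"),
}
CRITICAL_APPS = {"payments"}

# Constructed flow records as a host sensor would emit them.
BASELINE_FLOWS = """\
10.0.1.10 10.0.2.20 8443
10.0.1.11 10.0.2.20 8443
10.0.2.20 10.0.3.30 5432
10.0.5.50 10.0.6.60 3306
"""

TODAY_FLOWS = """\
10.0.1.10 10.0.2.20 8443
10.0.1.11 10.0.2.20 8443
10.0.2.20 10.0.3.30 5432
10.0.5.50 10.0.6.60 3306
10.0.5.50 10.0.3.30 5432
10.0.9.99 10.0.2.20 22
"""


def parse_flows(text):
    """Return a set of (src, dst, dport); blank or malformed lines are skipped."""
    flows = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        flows.add((parts[0], parts[1], int(parts[2])))
    return flows


def label(host):
    """Application/tier for a host; anything not in the inventory is UNKNOWN."""
    return INVENTORY.get(host, ("UNKNOWN", "UNKNOWN"))


def unknown_hosts(flows):
    """Hosts that appear on the wire but not in the inventory."""
    seen = {h for src, dst, _ in flows for h in (src, dst)}
    return {h for h in seen if h not in INVENTORY}


def app_map(flows):
    """Collapse host flows into application edges: (src_app, dst_app, dport) -> host pairs."""
    edges = defaultdict(set)
    for src, dst, dport in flows:
        edges[(label(src)[0], label(dst)[0], dport)].add((src, dst))
    return edges


def drift(baseline_text, today_text):
    """Report application edges seen today that the baseline never contained."""
    base = app_map(parse_flows(baseline_text))
    today = app_map(parse_flows(today_text))
    findings = []
    for edge in sorted(today):
        if edge in base:
            continue
        src_app, dst_app, dport = edge
        reasons = []
        if "UNKNOWN" in (src_app, dst_app):
            reasons.append("unknown host")
        if src_app != dst_app:
            reasons.append("crosses application boundary")
        critical = bool(CRITICAL_APPS & {src_app, dst_app})
        if critical:
            reasons.append("touches critical application")
        findings.append({
            "edge": edge,
            "hosts": sorted(today[edge]),
            "severity": "high" if critical or "unknown host" in reasons else "low",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in drift(BASELINE_FLOWS, TODAY_FLOWS):
        print(f["severity"], f["edge"], f["hosts"], "; ".join(f["reasons"]))
```

Run daily, the two findings this produces (an HR web server reaching the payments database, and an uninventoried host opening SSH to the payments application tier) are exactly the kind of change the article says a security team can no longer track by hand. Nothing here detects an attacker directly; it keeps the defender's picture of the ground current so that an analyst's time goes to the edges that are actually new.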

Remember that fence jumper's 17 minutes inside the compound. He should never have gotten inside, nor should he have been able to spend so long before he was caught. But when he was stopped, there were still multiple layers of security between him and the president. This is because the Secret Service isn't caught by the detection trap. The Secret Service focuses on control first. Security based on control doesn't mean defenders won't make mistakes — there will always be mistakes. It means that defenders can make mistakes and still be secure.

As head of cybersecurity strategy, Nathaniel is responsible for thought leadership, public engagement, and overseeing Illumio's security technology strategy. Nathaniel is a regular speaker at leading industry events, and his writing has appeared in industry publications, the ...

Because of the ever-changing cyber threat landscape, and the pace at which our infrastructures are being attacked, using technology to assist our cyber defenders is an absolute requirement. However, it's a very important distinction to remember that technology does not solve our problems. PEOPLE solve problems. Technology is just a tool.

I have always found it interesting the White House has had as many intrusions as seen on the news (and not), or even that some get as far as they do. While it's easy to point to incompetence I rather like to see it as something else. The White House acts as a honeypot.

You see, similar to how one might set up a sweet server that is begging to be compromised to see what flies are attracted to the honey, I suspect the White House acts in a similar fashion. For anyone who has stood outside the White House, there is an almost inviting accessibility to the grounds. What better way to quickly assess who in the neighborhood has malicious plans than to present a honeypot like the White House?

Now, speaking of dwell time, those with budget could utilize this same concept to border their inner critical data with inviting honeypots that would attract both one-hit-wonders and dwellers. The key is that those who would dwell, by sitting in the honeypot, are hurting themselves by providing extended time for InfoSec pros to find them and end their squatting reign. Expense may come to mind, but I suspect the cost and maintenance of an ESX server with a host of VMs spun out to act as a honeypot shield would pay off more in the end for some companies than just relying on automation.

Adding good automation to the mix would just seal the deal. With honey.
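The decoy idea in the comment above, as an added example that is not the commenter's code: a listener with no legitimate users, so any connection to it is an intrusion signal, and repeat contact from one source over time gives the defender a dwell measurement for free. The probe client is constructed so the example runs offline against 127.0.0.1; the banners it sends are made up.

```python
"""Minimal decoy service plus a constructed probe against it (added example)."""
import socket
import socketserver
import threading
import time
from collections import defaultdict


class DecoyHandler(socketserver.BaseRequestHandler):
    """Record who connected and what they sent; never behave like a real service."""

    def handle(self):
        self.request.settimeout(2.0)
        try:
            banner = self.request.recv(256)
        except (socket.timeout, ConnectionError):
            banner = b""
        self.server.record(self.client_address[0], banner)


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, DecoyHandler)
        self.events = []
        self._lock = threading.Lock()

    def record(self, peer, banner):
        with self._lock:
            self.events.append({"peer": peer, "ts": time.monotonic(), "banner": banner[:64]})

    def snapshot(self):
        with self._lock:
            return list(self.events)


def summarize(events):
    """Per source address: number of contacts and seconds between first and last."""
    by_peer = defaultdict(list)
    for e in events:
        by_peer[e["peer"]].append(e["ts"])
    return {peer: {"hits": len(ts), "span_s": max(ts) - min(ts)} for peer, ts in by_peer.items()}


def probe(host, port, payload):
    """Constructed attacker behaviour: connect, send a banner, disconnect."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        s.sendall(payload)


def run_demo(probes=(b"SSH-2.0-scanner\r\n", b"GET / HTTP/1.0\r\n\r\n")):
    """Start a decoy on an ephemeral loopback port, hit it once per probe, return the summary."""
    server = DecoyServer(("127.0.0.1", 0))
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        for payload in probes:
            probe("127.0.0.1", port, payload)
        # Handlers run in their own threads; wait briefly for them to record.
        deadline = time.monotonic() + 5.0
        while len(server.snapshot()) < len(probes) and time.monotonic() < deadline:
            time.sleep(0.05)
        return summarize(server.snapshot())
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Placed on the same subnet as a real database tier and given a plausible port, a decoy like this costs almost nothing to run and produces no false positives, because no legitimate workload ever has a reason to touch it. The summary's span per source is the dwell clock the commenter describes: the longer an intruder keeps coming back, the more evidence accumulates.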

